CVE-2026-44183 Overview
Cleanuparr is an automation tool that cleans up unwanted or blocked files in Sonarr, Radarr, and supported download clients such as qBittorrent. CVE-2026-44183 is an authentication bypass vulnerability in the TrustedNetworkAuthenticationHandler.ResolveClientIp function. The handler parses the leftmost entry of the X-Forwarded-For HTTP header as the client IP address. Because X-Forwarded-For is append-only and client-controlled, an unauthenticated remote attacker can spoof a trusted local IP and pass the trusted-network check. The exploit authenticates the attacker as the Cleanuparr administrator. The issue is fixed in version 2.9.10 and tracked under [CWE-290] Authentication Bypass by Spoofing.
Critical Impact
An unauthenticated remote attacker can gain administrator access to Cleanuparr by sending a single HTTP request with a spoofed X-Forwarded-For header.
Affected Products
- Cleanuparr versions prior to 2.9.10
- Deployments exposing the Cleanuparr web interface to untrusted networks
- Cleanuparr instances behind reverse proxies that do not sanitize X-Forwarded-For
Discovery Timeline
- 2026-05-12 - CVE-2026-44183 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44183
Vulnerability Analysis
The vulnerability resides in Cleanuparr's trusted-network authentication path. Cleanuparr can be configured to automatically authenticate requests originating from trusted local networks, removing the need for credentials on internal traffic. To determine the client IP, TrustedNetworkAuthenticationHandler.ResolveClientIp reads the X-Forwarded-For header and takes the leftmost value. The handler then compares that value against the configured trusted-network ranges. If the IP matches, the request is authenticated as the Cleanuparr administrator without any credential check. Because the leftmost entry of X-Forwarded-For is supplied by the original HTTP client, an attacker controls the value used in the trust decision. The flaw maps to [CWE-290], where an authentication mechanism is bypassed by spoofing trusted client identity.
Root Cause
The X-Forwarded-For header is append-only by design. Each intermediate proxy appends its observed source IP to the right side of the header. The leftmost value is therefore the value submitted by the original client and is not trustworthy. The Cleanuparr handler treats this attacker-controlled value as authoritative, which collapses the trusted-network boundary into a header check that the attacker controls.
Attack Vector
An unauthenticated attacker sends an HTTP request to a reachable Cleanuparr endpoint and includes a header such as X-Forwarded-For: 127.0.0.1 or another IP within the trusted-network range. The handler parses this value, matches it against the trusted networks, and issues an authenticated administrator session. The attacker then performs any administrative action exposed by the application, including modifying cleanup rules, reading configuration, and pivoting into linked Sonarr, Radarr, and download client credentials. No user interaction is required and the attack complexity is low. See the GitHub Security Advisory GHSA-8q44-v65j-jc3q for additional technical detail.
Detection Methods for CVE-2026-44183
Indicators of Compromise
- HTTP requests to Cleanuparr containing X-Forwarded-For headers with loopback or RFC1918 addresses arriving from external sources
- Unexpected administrator-level configuration changes within Cleanuparr audit logs
- New or modified credentials for connected Sonarr, Radarr, or qBittorrent integrations not initiated by an authorized operator
Detection Strategies
- Inspect reverse proxy and web server access logs for inbound requests where the leftmost X-Forwarded-For value is a private or loopback IP but the TCP source is a public address
- Alert on Cleanuparr administrative API calls that lack a preceding interactive login event
- Compare the IP recorded by the upstream proxy against the IP parsed by Cleanuparr to identify mismatches
Monitoring Recommendations
- Forward Cleanuparr application logs and reverse proxy logs to a centralized analytics platform for correlation
- Track the running Cleanuparr version across deployments and flag instances below 2.9.10
- Monitor outbound connections from Cleanuparr hosts for unexpected interaction with download clients or media managers
How to Mitigate CVE-2026-44183
Immediate Actions Required
- Upgrade Cleanuparr to version 2.9.10 or later without delay
- Restrict network exposure of the Cleanuparr web interface to trusted management networks only
- Rotate credentials stored within Cleanuparr for Sonarr, Radarr, and download client integrations if exposure is suspected
- Review Cleanuparr audit logs for unauthorized configuration changes
Patch Information
The maintainers fixed the issue in Cleanuparr 2.9.10. The patch corrects how TrustedNetworkAuthenticationHandler.ResolveClientIp determines the client IP so that attacker-controlled X-Forwarded-For values cannot satisfy the trusted-network check. Refer to the Cleanuparr GitHub Security Advisory for release details.
Workarounds
- Disable the trusted-network authentication feature until the upgrade is applied
- Configure the upstream reverse proxy to strip or overwrite the X-Forwarded-For header on inbound requests before they reach Cleanuparr
- Bind Cleanuparr to a loopback or internal-only interface and require authenticated VPN access for management
# Example NGINX configuration to overwrite client-supplied X-Forwarded-For
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://cleanuparr_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
